Month: July 2018

Bank-grade Security or Why Blocking Password Pasting is not a Good Security Strategy

Your friend creates a website. You are curious and you ask him: “is it secure?”, which, in your mind, probably means “did you secure your website to the best of your abilities?” and your friend replies: “Yes, it has bank-grade security”. Oh, “bank-grade security”, damn! That means it’s very secure! Before you intervene, I am by no means stating that banking websites are insecure – I am interested in how banks and other financial institutions deal with passwords though…

Carriage Return Line Feed (CRLF) Injection Explained

How does a server know when a new header begins and the old one ends, or when a line is terminated? Simple. To mark the end of a line, the \r\n characters (URL-encoded as %0D%0A) are used. These characters are Carriage Return (\r) and Line Feed (\n). They can be (and are) used in HTTP responses, and they are also used to mark line endings in files. Is it dangerous? A Carriage Return Line Feed (CRLF) Injection vulnerability occurs…

2017 OWASP Top 10 for PHP Developers Part 10: Insufficient Logging & Monitoring

Another day, another web application gets hacked. Most of the time web application hacks fly under the radar and are discovered years after the data breach occurred, but every so often, after learning what has happened, website administrators hire computer forensic experts to help reconstruct and solve high-tech (computer-related) crimes. Every computer forensic expert (or team of computer forensic experts) has different methods of approaching and solving the problem – but in many cases, the very first thing computer…

2017 OWASP Top 10 for PHP Developers Part 9: Using Components with Known Vulnerabilities

Attacks on today’s web are an unsurprising reality – websites are hacked daily, and data is being stolen and leaked left, right and centre. In many (though not all) cases, attacks on web applications succeed because the targeted web application is susceptible to security vulnerabilities – vulnerabilities that derive from its components. In the penultimate segment of the 2017 OWASP Top 10 series, I will cover how using components with known vulnerabilities can affect your web application, tell how such risks are…

2017 OWASP Top 10 for PHP Developers Part 8: Insecure Deserialization

When developing a web application, web developers sometimes need to first turn data into a suitable format so that it can be processed. Occasionally, converting data into such a format is a requirement for storing it in a file or database, or simply for efficiency. Here’s where serialization comes in – serialization in web applications means turning data into a stream of bytes so that it can be, for example, stored in a database or in a…